JWT & OAuth
JWT & OAuth 2.0 Authentication
1. Introduction
JWT Authentication
1. Header: Contains the type of token (JWT) and the signing algorithm (e.g., HS256 or RS256).
    HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
1. User Login:
2. Token Issuance:
  - If credentials are valid, the server creates a JWT containing user claims (e.g., user ID, roles) and signs it with a secret key.
3. Token Storage:
4. Authenticated Requests:
5. Server Validation:
  - Decoding it.
6. Token Expiry:
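The signature formula above, together with the server-side validation of step 5 and the expiry check of step 6, as an added example that is not code from the original page. It implements HS256 issuance and verification directly on top of hmac/base64; the secret and the claims are constructed sample values, and the server pins the algorithm instead of trusting the token's own header.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    # base64url without '=' padding, as JWT (RFC 7515) requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token: HMACSHA256(b64url(header) + "." + b64url(payload), secret)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(signature)

def verify_hs256(token: str, secret: bytes, now=None):
    """Server-side validation: returns the claims, or None if the token must be rejected.
    The algorithm is pinned to HS256 rather than read from the untrusted header (refuses
    alg=none and algorithm confusion), the MAC is compared in constant time, and "exp"
    is enforced (step 6, Token Expiry)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64url, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # payload tampered with, signature forged, or a different key
    try:
        claims = json.loads(b64url_decode(payload_b64))  # parse the payload only once it is authenticated
    except ValueError:
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or ("exp" in claims and now >= claims["exp"]):
        return None
    return claims

# Constructed sample: the same claims as the page's example token, signed with a demo secret.
SAMPLE_SECRET = b"constructed-demo-secret-not-for-production"
SAMPLE_CLAIMS = {"sub": "1234567890", "name": "John Doe", "admin": True, "exp": 1_900_000_000}
```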
1. User Authentication:
2. Authorization Code:
4. Resource Access:
The client collects the user's username and password and sends them to the authorization server to get a token.
1. Authorization Request:
  - The client redirects the user to the authorization server:
    GET /authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
  - Parameters:
2. User Consent:
3. Authorization Code:
  - https://client.com/callback?code=AUTH_CODE
    POST /token
    Content-Type: application/x-www-form-urlencoded

    client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=AUTH_CODE&grant_type=authorization_code
5. Access Resources:
  - If the access token expires, the client uses the refresh token to obtain a new access token without requiring user interaction:
    POST /token
    Content-Type: application/x-www-form-urlencoded

    client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN&grant_type=refresh_token
1. JWT Implementation
  - Include dependencies:
    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.9.1</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;

    import java.util.Date;

    public class JwtUtil {
        // Signing secret (placeholder value; use a long random secret loaded from configuration)
        private static final String SECRET_KEY = "REPLACE_WITH_A_LONG_RANDOM_SECRET";
        // Token lifetime; the value on the original page is not recoverable, one hour is assumed
        private static final long EXPIRATION_MS = 60 * 60 * 1000;

        public static String generateToken(String username) {
            return Jwts.builder()
                    .setSubject(username)
                    .setIssuedAt(new Date())
                    .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION_MS))
                    .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
                    .compact();
        }
    }
Use the Utility in Your Controller:
    import org.springframework.http.HttpStatus;
    import org.springframework.http.ResponseEntity;
    import org.springframework.web.bind.annotation.*;

    @RestController
    public class AuthController {
        // Class name, request parameters and the credential check are assumed; those lines are missing from the page.
        @PostMapping("/login")
        public ResponseEntity<String> login(@RequestParam String username, @RequestParam String password) {
            if (credentialsAreValid(username, password)) {
                return ResponseEntity.ok(JwtUtil.generateToken(username));
            }
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }

        private boolean credentialsAreValid(String username, String password) {
            return false; // hypothetical: replace with a check against the user store (e.g. AuthenticationManager)
        }
    }
    import io.jsonwebtoken.Claims;
    import io.jsonwebtoken.Jwts;

    public class JwtUtil {
        // Same utility class as above; only the parsing side is shown here (placeholder secret)
        private static final String SECRET_KEY = "REPLACE_WITH_A_LONG_RANDOM_SECRET";

        // Method name assumed; parseClaimsJws verifies the signature and throws on a tampered or expired token
        public static Claims validateToken(String token) {
            return Jwts.parser()
                    .setSigningKey(SECRET_KEY)
                    .parseClaimsJws(token)
                    .getBody();
        }
    }
    // JWT authentication filter: only the fragment below survives in the extracted page
    @Override
    // [method signature and token extraction: lines missing]
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
    // [lines missing]
        }
      }
    }
    @Configuration
    // [class declaration: lines missing]
    @Override
    // [configure method body: lines missing]
        }
    }
1. Include Dependencies:
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
1. Application Properties:
    spring.security.oauth2.resourceserver.jwt.issuer-uri=https://issuer.example.com
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {  // class name assumed
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Everything under /public is open; every other request needs a valid JWT
            // validated against the issuer configured in application.properties
            http.authorizeRequests()
                    .antMatchers("/public/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                    .oauth2ResourceServer()
                    .jwt();
        }
    }
    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class ProtectedController {  // class name and return value assumed
        @GetMapping("/protected")
        // Requires the "read" scope in the JWT; @PreAuthorize only takes effect when method
        // security is enabled (e.g. @EnableGlobalMethodSecurity(prePostEnabled = true) on a configuration class)
        @PreAuthorize("hasAuthority('SCOPE_read')")
        public String protectedResource() {
            return "protected resource";
        }
    }
Token Storage | Client-side | Managed by the client application